bpo-31399: Only expose useful hostflags

Remove all hostflags except for NO_PARTIAL_WILDCARDS and
NEVER_CHECK_SUBJECT. The other flags aren't that useful at the moment.

Don't support OpenSSL special mode with a leading dot, e.g.
".example.org" matches "www.example.org". It's not standard conform.

Signed-off-by: Christian Heimes <[email protected]>

Author: tiran

Doc/library/ssl.rst

@@ -431,11 +431,12 @@ Certificate handling
       of the certificate, is now supported.
 
    .. versionchanged:: 3.7
-      The function is no longer used. Hostname matching is now performed
-      by OpenSSL.
+      The function is no longer used to TLS connections. Hostname matching
+      is now performed by OpenSSL.
 
       Allow wildcard when it is the leftmost and the only character
-      in that segment.
+      in that segment. Partial wildcards like ``www*.example.com`` are no
+      longer supported.
 
    .. deprecated:: 3.7
 
@@ -599,31 +600,15 @@ Constants
 
    .. versionadded:: 3.7
 
-.. attribute:: HostFlags.HOSTFLAG_ALWAYS_CHECK_SUBJECT
-
-   Consider subject CN even if the certificate contains at least one subject
-   alternative name. This flag violates :rfc:`6125`.
-
-.. attribute:: HostFlags.HOSTFLAG_NO_WILDCARDS
-
-   Don't support wildcard certificate, e.g. ``*.example.org``.
-
 .. attribute:: HostFlags.HOSTFLAG_NO_PARTIAL_WILDCARDS
 
    Dont' support wildcard certificate with partial matches, e.g.
    ``www*.example.org``.
 
-.. attribute:: HostFlags.HOSTFLAG_MULTI_LABEL_WILDCARDS
-
-   Wildcards match multiple labels, e.g. ``www.subdomain.example.org``
-   matches ``*.example.org`` This flag violates :rfc:`6125`.
-
-.. attribute:: HostFlags.HOSTFLAG_SINGLE_LABEL_SUBDOMAINS
-
 .. attribute:: HostFlags.HOSTFLAG_NEVER_CHECK_SUBJECT
 
    Ignore subject CN even if the certificate has no subject alternative
-   names.
+   name extension.
 
    .. note:: The flag is not available when the ssl module is compiled
       with OpenSSL 1.0.2 or LibreSSL.
@@ -1781,8 +1766,7 @@ to speed up repeated connections from the same clients.
 .. attribute:: SSLContext.host_flags
 
    The flags for validating host names. By default
-   :data:`HostFlags.HOSTFLAG_SINGLE_LABEL_SUBDOMAINS` and
-   :data:`HostFlags.HOSTFLAG_NO_PARTIAL_WILDCARDS` are set.
+   :data:`HostFlags.HOSTFLAG_NO_PARTIAL_WILDCARDS` is set.
 
    .. versionadded:: 3.7
 

Lib/asyncio/sslproto.py

@@ -590,7 +590,6 @@ def _on_handshake_complete(self, handshake_exc):
                 raise handshake_exc
 
             peercert = sslobj.getpeercert()
-            # Since 3.7, the hostname is matched by OpenSSL during handshake.
         except BaseException as exc:
             if self._loop.get_debug():
                 if isinstance(exc, ssl.CertificateError):

Lib/test/test_ssl.py

@@ -1511,6 +1511,16 @@ def test_bad_idna_in_server_hostname(self):
             ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
                          server_hostname="xn--.com")
 
+    def test_bad_server_hostname(self):
+        ctx = ssl.create_default_context()
+        with self.assertRaises(ValueError):
+            ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
+                         server_hostname="")
+        with self.assertRaises(ValueError):
+            ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
+                         server_hostname=".example.org")
+
+
 class MemoryBIOTests(unittest.TestCase):
 
     def test_read_write(self):

Modules/_ssl.c

@@ -713,17 +713,30 @@ _ssl_configure_hostname(PySSLSocket *self, const char* server_hostname)
     int retval = -1;
     ASN1_OCTET_STRING *ip;
     PyObject *hostname;
+    size_t len;
 
     assert(server_hostname);
 
+    /* Disable OpenSSL's special mode with leading dot in hostname:
+     * When name starts with a dot (e.g ".example.com"), it will be
+     * matched by a certificate valid for any sub-domain of name.
+     */
+    len = strlen(server_hostname);
+    if (len == 0 || *server_hostname == '.') {
+        PyErr_SetString(
+            PyExc_ValueError,
+            "server_hostname cannot be an empty string or start with a "
+            "leading dot.");
+        return retval;
+    }
+
     /* inet_pton is not available on all platforms. */
     ip = a2i_IPADDRESS(server_hostname);
     if (ip == NULL) {
         ERR_clear_error();
     }
 
-    hostname = PyUnicode_Decode(server_hostname, strlen(server_hostname),
-                                "idna", "strict");
+    hostname = PyUnicode_Decode(server_hostname, len, "idna", "strict");
     if (hostname == NULL) {
         goto error;
     }
@@ -2811,10 +2824,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
         return NULL;
     }
     self->ctx = ctx;
-    self->hostflags = (
-        X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS |
-        X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
-    );
+    self->hostflags = X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
 #if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     self->npn_protocols = NULL;
 #endif
@@ -5564,30 +5574,12 @@ PyInit__ssl(void)
                             SSL_OP_NO_COMPRESSION);
 #endif
 
-#ifdef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
-    PyModule_AddIntConstant(m, "HOSTFLAG_ALWAYS_CHECK_SUBJECT",
-                            X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT);
-#endif
 #ifdef X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
     PyModule_AddIntConstant(m, "HOSTFLAG_NEVER_CHECK_SUBJECT",
                             X509_CHECK_FLAG_NEVER_CHECK_SUBJECT);
 #endif
-#ifdef X509_CHECK_FLAG_NO_WILDCARDS
-    PyModule_AddIntConstant(m, "HOSTFLAG_NO_WILDCARDS",
-                            X509_CHECK_FLAG_NO_WILDCARDS);
-#endif
-#ifdef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
     PyModule_AddIntConstant(m, "HOSTFLAG_NO_PARTIAL_WILDCARDS",
                             X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
-#endif
-#ifdef X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS
-    PyModule_AddIntConstant(m, "HOSTFLAG_MULTI_LABEL_WILDCARDS",
-                            X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS);
-#endif
-#ifdef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
-    PyModule_AddIntConstant(m, "HOSTFLAG_SINGLE_LABEL_SUBDOMAINS",
-                            X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS);
-#endif
 
 #if HAVE_SNI
     r = Py_True;